Skip to content

chore(release): promote develop → main — R8 Windows installer + trust-root hardening (v1.8.5)#301

Merged
saadqbal merged 3 commits into
mainfrom
develop
Jul 2, 2026
Merged

chore(release): promote develop → main — R8 Windows installer + trust-root hardening (v1.8.5)#301
saadqbal merged 3 commits into
mainfrom
develop

Conversation

@saadqbal

@saadqbal saadqbal commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Promotes the R8 supply-chain hardening to main for the v1.8.5 release.

Contents:

Chart templates are unchanged since v1.8.4 — this release ships the hardened installers as signed release assets.

After merge — cut the release (this is what activates Windows R8 in prod):

  1. Create GitHub Release v1.8.5 targeting main (generate notes) → triggers release-helm-chart.yaml:
    • sign-installer-manifest stamps + publishes install.sh and install.ps1, generates + cosign-signs manifest.sha256 (now covering install-k8s.ps1), attaches .sig/.cert.
    • chart job publishes client-1.8.5.tgz + ingestor to gh-pages.
  2. Verify: https://github.com/tracebloc/client/releases/latest/download/install.ps1 returns 200, and the new PowerShell stamp/self-test steps went green.

Merge as a merge commit to match the prior promotions (#294, #278). Closes #283 (Windows R8) on release.

🤖 Generated with Claude Code


Note

High Risk
Changes define what privileged Windows installs trust (cosign, manifest, release stamping and workflow assets); mistakes could weaken or break production irm | iex paths.

Overview
v1.8.5 promotes RFC-0001 R8 supply-chain hardening to main, with the main functional change being Windows parity with the existing install.sh bootstrap.

install.ps1 is no longer a thin “download install-k8s.ps1 from a branch” script. It now pins to an immutable release tag ($DefaultRef, stamped at publish time), cosign-verifies manifest.sha256, checks install-k8s.ps1 against that manifest before anything runs elevated, and fails closed without TRACEBLOC_ALLOW_UNVERIFIED=1. gen-manifest.sh and manifest.sha256 now include the Windows sub-script, with CI drift checks against install.ps1’s $Files list.

The release workflow stamps and self-tests install.ps1 like install.sh, ships install.ps1 on the GitHub release next to the signed manifest assets, and SHA-pins key Actions. CODEOWNERS expands to cover the R8 trust-root paths. Installer CI runs PSScriptAnalyzer on both PowerShell entrypoints and Pester over scripts/tests (new install.Tests.ps1). Chart version / appVersion bump 1.8.4 → 1.8.5 only.

Reviewed by Cursor Bugbot for commit 6f62dfd. Bugbot is set up for automated code reviews on this repo. Configure here.

saadqbal and others added 3 commits July 2, 2026 16:51
security(R8): CODEOWNERS trust root + SHA-pin signing actions (client#282)
… + cosign-verify) (#299)

The Windows bootstrap (install.ps1) fetched install-k8s.ps1 from a mutable branch
with no signature/checksum verification — the R8 supply-chain gap for Windows
(RFC-0001 R8, backend#889 / client#283). Mirror scripts/install.sh:

- install.ps1: pin to the stamped immutable release tag (fail-closed if the
  installer is unstamped or handed a mutable ref, unless TRACEBLOC_ALLOW_UNVERIFIED=1);
  fetch install-k8s.ps1 from the tag tree; cosign verify-blob the signed manifest
  (same keyless identity/issuer pins as install.sh, with a nonzero-sentinel guard so
  a cosign that can't launch fails closed); sha256-check each sub-script; fail closed
  at every gate. Functions load under $env:TB_PESTER for unit testing.
- gen-manifest.sh: cover install-k8s.ps1 via a parallel WINDOWS_FILES list so one
  signed manifest anchors both entrypoints; keep the strict install.sh sync-check
  intact and add the equivalent install.ps1 $Files sync-check.
- release-helm-chart.yaml: stamp install.ps1's $DefaultRef with the release tag
  (awk literal-replace, tag via env, anchored to the assignment so the fail-closed
  guard sentinel survives) + a pwsh self-test + publish install.ps1 as a release
  asset (so `irm .../releases/latest/download/install.ps1 | iex` is pinned).
- Pester tests for ref-resolution / fail-closed / integrity; wire PSScriptAnalyzer
  and the Pester run to cover install.ps1.
- CODEOWNERS: add install.ps1 + install-k8s.ps1 to the R8 trust-root section.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Release carrier for the R8 supply-chain hardening now on develop (#287
CODEOWNERS/SHA-pins, #299 Windows install.ps1 pin+cosign-verify). The client
chart templates are unchanged since v1.8.4; the bump versions the release that
stamps + publishes the hardened install.sh/install.ps1 + signed manifest as
release assets (RFC-0001 R8, client#283).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
@saadqbal saadqbal self-assigned this Jul 2, 2026
@saadqbal saadqbal added the skip-fr-gate Bypass FR gate for this PR (use only for bootstrap or emergencies — visible in audit) label Jul 2, 2026
@saadqbal

saadqbal commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Applying skip-fr-gate: the linked items (#287, #299, #300) are already merged to develop, and the R8 Windows installer can't take a literal FR-on-dev run (no dev Windows functional env). It's exhaustively verified instead — Pester on windows-latest + ubuntu, PSScriptAnalyzer, gen-manifest --check, the release-time awk-stamp simulated locally, and an adversarial PowerShell-security review (one fail-open found + fixed). All non-gate CI is green.

@saadqbal saadqbal merged commit 75e28d8 into main Jul 2, 2026
57 of 58 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

skip-fr-gate Bypass FR gate for this PR (use only for bootstrap or emergencies — visible in audit)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

R8 for the Windows installer: install.ps1 still pulls from a mutable branch, unverified (RFC-0001 R8 — Windows)

3 participants